RADIUS

Book Description

The subject of security never strays far from the minds of IT workers, for good reason: any network with even a single connection to another network needs to be secured. RADIUS, the Remote Authentication Dial-In User Service, is a widely deployed protocol that lets an organization authenticate, authorize, and account for remote users from a central server when those users request access to a system or service. Originally developed for dial-up remote access, RADIUS is now used by virtual private network (VPN) servers, wireless access points, authenticating Ethernet switches, Digital Subscriber Line (DSL) access concentrators, and other network access types. Extensible, easy to implement, widely supported, and actively developed, RADIUS is currently the de facto standard for remote authentication.

RADIUS provides a complete, detailed guide to the underpinnings of the RADIUS protocol, with particular emphasis on the utility of user accounting. Author Jonathan Hassell draws on his extensive experience in Internet service provider operations to offer practical suggestions and advice for implementing RADIUS. He also provides instructions for using an open-source implementation, FreeRADIUS.

"RADIUS is an extensible protocol that enjoys the support of a wide range of vendors," says Jonathan Hassell. "Coupled with the amazing efforts of the open source development community to extend RADIUS's capabilities to other applications (Web, calling card security, physical device security such as RSA's SecurID), RADIUS is possibly the best protocol with which to ensure only the people that need access to a resource indeed gain that access."

This book covers RADIUS completely, from the history and theory of the architecture around which it was designed, to how the protocol and its ancillaries function on a day-to-day basis, to implementing RADIUS-based security in a variety of corporate and service provider environments.

If you are an ISP owner or administrator, a corporate IT professional responsible for maintaining mobile user connectivity, or a web presence provider responsible for multiple communications resources, this book will help you master this widely implemented but little-understood protocol.

Table of Contents

  1. RADIUS
    1. SPECIAL OFFER: Upgrade this ebook with O’Reilly
    2. Preface
      1. Audience
      2. Organization
      3. Conventions Used in This Book
      4. How to Contact Us
      5. Acknowledgments
    3. 1. An Overview of RADIUS
      1. An Overview of AAA
        1. Authentication
        2. Authorization
        3. Accounting
      2. Key Points About AAA Architecture
      3. The Authorization Framework
        1. Authorization Sequences
        2. Roaming
        3. Distributed Services
        4. Policies
        5. Resource and Session Management
      4. And Now, RADIUS
        1. A Brief History
        2. Properties of RADIUS
        3. Limitations of RADIUS
    4. 2. RADIUS Specifics
      1. Using UDP versus TCP
      2. Packet Formats
        1. Code
        2. Identifier
        3. Length
        4. Authenticator
      3. Packet Types
        1. Access-Request
        2. Access-Accept
        3. Access-Reject
        4. Access-Challenge
      4. Shared Secrets
      5. Attributes and Values
        1. Attributes
          1. Attribute types
          2. Vendor-specific attributes
        2. Values
        3. Dictionaries
      6. Authentication Methods
        1. PAP
        2. CHAP
        3. Selecting PAP, CHAP, or Other Protocols
      7. Realms
      8. RADIUS Hints
    5. 3. Standard RADIUS Attributes
      1. Attribute Properties
        1. Callback-ID
        2. Callback-Number
        3. Called-Station-ID
        4. Calling-Station-ID
        5. CHAP-Challenge
        6. CHAP-Password
        7. Class
        8. Filter-ID
        9. Framed-AppleTalk-Link
        10. Framed-AppleTalk-Network
        11. Framed-AppleTalk-Zone
        12. Framed-Compression
        13. Framed-IP-Address
        14. Framed-IP-Netmask
        15. Framed-IPX-Network
        16. Framed-MTU
        17. Framed-Protocol
        18. Framed-Route
        19. Framed-Routing
        20. Idle-Timeout
        21. Login-LAT-Group
        22. Login-LAT-Node
        23. Login-LAT-Port
        24. Login-LAT-Service
        25. Login-IP-Host
        26. Login-Service
        27. Login-TCP-Port
        28. NAS-Identifier
        29. NAS-IP-Address
        30. NAS-Port
        31. NAS-Port-Type
        32. Port-Limit
        33. Proxy-State
        34. Reply-Message
        35. Service-Type
        36. Session-Timeout
        37. State
        38. Terminate-Action
        39. User-Name
        40. User-Password
        41. Vendor-Specific
    6. 4. RADIUS Accounting
      1. Key Points in RADIUS Accounting
      2. Basic Operation
        1. More on Proxying
      3. The Accounting Packet Format
        1. Code
        2. Identifier
        3. Length
        4. Authenticator
        5. Reliability of Accounting
      4. Accounting Packet Types
        1. Accounting-Request
        2. Accounting-Response
      5. Accounting-specific Attributes
        1. Acct-Status-Type
        2. Acct-Delay-Time
        3. Acct-Input-Octets
        4. Acct-Output-Octets
        5. Acct-Session-ID
        6. Acct-Authentic
        7. Acct-Session-Time
        8. Acct-Input-Packets
        9. Acct-Output-Packets
        10. Acct-Terminate-Cause
        11. Acct-Multi-Session-ID
        12. Acct-Link-Count
    7. 5. Getting Started with FreeRADIUS
      1. Introduction to FreeRADIUS
      2. Installing FreeRADIUS
        1. The clients File
        2. The naslist File
        3. The naspasswd File
        4. The hints File
        5. The huntgroups File
        6. The users File
        7. The radiusd.conf File
        8. Testing the Initial Setup
      3. In-depth Configuration
        1. Configuring radiusd.conf
          1. pidfile
          2. user and group
          3. max_request_time
          4. delete_blocked_requests
          5. cleanup_delay
          6. max_requests
          7. bind_address
          8. port
          9. hostname_lookups
          10. allow_core_dumps
          11. regular and extended expressions
          12. log
          13. lower_user and lower_pass
          14. nospace_user and nospace_pass
        2. Configuring the users File
          1. A sample complete entry
          2. DEFAULT entries
          3. Prefixes and suffixes
          4. Using RADIUS callback
          5. Completely denying access to users
      4. Troubleshooting Common Problems
        1. Linking Errors When Starting FreeRADIUS
        2. Incoming Request Passwords Are Gibberish
        3. NAS Machine Ignores a RADIUS Reply
        4. CHAP Authentication Doesn’t Work Correctly
    8. 6. Advanced FreeRADIUS
      1. Using PAM
      2. Proxying and Realms
      3. Using the clients.conf File
      4. FreeRADIUS with Some NAS Gear
        1. Ascend Equipment
        2. Cisco Equipment
        3. Nortel Equipment
        4. 3Com and US Robotics Equipment
      5. Using MySQL with FreeRADIUS
        1. Extending the MySQL Functionality
          1. Realm support
          2. Redundancy with MySQL
      6. Simultaneous Use
        1. When It Goes Pear Shaped
          1. 3Com and US Robotics equipment
          2. Ascend equipment
          3. Cisco equipment
      7. Monitoring FreeRADIUS
    9. 7. Other RADIUS Applications
      1. RADIUS for Web Authentication
        1. The Functionality
        2. Configuring the Module
        3. Using Challenge-Response with mod_auth_radius
        4. Limitations of the Module
      2. Using the LDAP Directory Service
        1. Configuring FreeRADIUS to Use LDAP
        2. Configuring CommuniGate Pro for LDAP Use
      3. Parsing RADIUS Accounting Files
        1. Generating Reports
          1. Example reports
        2. Using RadiusSplit
    10. 8. The Security of RADIUS
      1. Vulnerabilities
        1. MD5 and the Shared Secret
        2. The Access-Request Packet
        3. The User-Password Cipher Scheme
        4. The User-Password Shared Secret
        5. The User-Password Attribute and Password Attacks
        6. Attacks Using the Request Authenticator
          1. Repeated request authenticators and the User-Password attribute
          2. Shared secrets
      2. The Extensible Authentication Protocol
      3. Compensating for the Deficiencies
      4. Modifying the RADIUS Protocol
    11. 9. New RADIUS Developments
      1. Interim Accounting Updates
      2. The Apple Remote Access Protocol
      3. The Extensible Authentication Protocol
        1. Examples of an EAP Conversation
        2. Potential Uses
      4. Tunneling Protocols
      5. New Extensions Attributes
        1. Acct-Input-Gigawords
        2. Acct-Output-Gigawords
        3. Event-Timestamp
        4. Tunnel-Type
        5. Tunnel-Medium-Type
        6. Tunnel-Client-Endpoint
        7. Tunnel-Server-Endpoint
        8. Acct-Tunnel-Connection
        9. Tunnel-Password
        10. ARAP-Password
        11. ARAP-Features
        12. ARAP-Zone-Access
        13. ARAP-Security
        14. ARAP-Security-Data
        15. Password-Retry
        16. Prompt
        17. Connect-Info
        18. Configuration-Token
        19. EAP-Message
        20. Message-Authenticator
        21. Tunnel-Private-Group-ID
        22. Tunnel-Assignment-ID
        23. Tunnel-Preference
        24. ARAP-Challenge-Response
        25. Acct-Interim-Interval
        26. Acct-Tunnel-Packets-Lost
        27. NAS-Port-ID
        28. Framed-Pool
        29. Tunnel-Client-Auth-ID
        30. Tunnel-Server-Auth-ID
    12. 10. Deployment Techniques
      1. Typical Services
        1. System Shell Accounts
        2. Direct Connect Accounts
      2. RADIUS and Availability
        1. Determining Normal System Behavior
          1. Explicit requirements
          2. Derived requirements
        2. Points of Failure
        3. Planning to Fail
        4. Proactive System Management
        5. Case Studies in Deployment and Availability
          1. Scenario 1: A small, regional ISP
          2. Scenario 2: A corporation with branch offices
      3. Other Things RADIUS
        1. Other RADIUS Servers
        2. RADIUS Tools
    13. A. Attribute Reference
    14. Index
    15. About the Author
    16. Colophon
    17. SPECIAL OFFER: Upgrade this ebook with O’Reilly